Authenticate access to Azure resources by using managed identities in Azure Logic Apps

To access other Azure resources that are protected by Azure Active Directory (Azure AD) and authenticate without signing in, your logic app can use a managed identity (formerly Managed Service Identity or MSI) instead of credentials or secrets. Azure manages this identity for you and helps protect your credentials because you don't have to provide, store, or rotate secrets: the identity is an Azure AD service principal in the logic app's own tenant, and the platform issues its access tokens.

Azure Logic Apps supports the system-assigned managed identity. A system-assigned identity belongs to one logic app: Azure creates it when you enable it and deletes it when you delete the logic app, so it can't be shared across a group of logic apps. Currently, only specific built-in triggers and actions support managed identities, not managed connectors or connections, for example:

  • HTTP
  • Azure Functions
  • Azure API Management
  • Azure App Services

This article shows how to set up the system-assigned managed identity for your logic app. For more information, see these topics:

Prerequisites

  • An Azure subscription. If you don't have a subscription, sign up for a Trial Subscription. Both the managed identity and the target Azure resource where you need access must use the same Azure subscription.

  • To give a managed identity access to an Azure resource, you add a role assignment for that identity on the target resource. To add a role assignment, you need permission to manage access on that resource, for example the Owner or User Access Administrator role at the resource's scope or above; ordinary Contributor rights on the resource aren't enough.

  • The target Azure resource that you want to access. On this resource, you'll add a role for the managed identity, which lets the logic app authenticate access to the target resource.

  • The logic app where you want to use the trigger or actions that support managed identities

Enable managed identity

To set up the managed identity that you want to use, follow the link for that identity:

Enable system-assigned identity

To set up the system-assigned identity for your logic app, here are the options that you can use:

Enable system-assigned identity in Azure portal

  1. In the Azure portal, open your logic app in Logic App Designer.

  2. On the logic app menu, under Settings, select Identity. Select System assigned > On > Save. When Azure prompts you to confirm, select Yes.

    (Screenshot: Enable the system-assigned identity)

    Your logic app can now use the system-assigned identity, which is registered with Azure Active Directory and is represented by an object ID.

    (Screenshot: Object ID for the system-assigned identity)

    Property    Value                    Description
    Object ID   <identity-resource-ID>   A Globally Unique Identifier (GUID) that represents the system-assigned identity for your logic app in an Azure AD tenant

  3. Now follow the steps that give that identity access to the resource later in this topic.

Enable system-assigned identity in Azure Resource Manager template

To automate creating and deploying Azure resources such as logic apps, you can use Azure Resource Manager templates. To enable the system-assigned managed identity for your logic app in the template, add the identity object with the type child property to the logic app's resource definition, for example:

{
   "apiVersion": "2016-06-01",
   "type": "Microsoft.Logic/workflows",
   "name": "[variables('logicappName')]",
   "location": "[resourceGroup().location]",
   "identity": {
      "type": "SystemAssigned"
   },
   "properties": {
      "definition": {
         "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
         "contentVersion": "1.0.0.0",
         "parameters": {},
         "triggers": {},
         "actions": {},
         "outputs": {}
      },
      "parameters": {}
   },
   "dependsOn": []
}

When Azure creates your logic app resource definition, the identity object gets these additional properties:

"identity": {
   "type": "SystemAssigned",
   "principalId": "<principal-ID>",
   "tenantId": "<Azure-AD-tenant-ID>"
}

Property (JSON)   Value                   Description
principalId       <principal-ID>          The Globally Unique Identifier (GUID) of the service principal object for the managed identity that represents your logic app in the Azure AD tenant. This GUID sometimes appears as an "object ID" or objectID. It is the value that role assignments refer to.
tenantId          <Azure-AD-tenant-ID>    The Globally Unique Identifier (GUID) that represents the Azure AD tenant where the logic app is now a member. Inside the Azure AD tenant, the service principal has the same name as the logic app instance.

Give identity access to resources

Before you can use your logic app's managed identity for authentication, set up access for that identity on the Azure resource where you plan to use the identity. To complete this task, assign the appropriate role to that identity on the target Azure resource, scoped as narrowly as the scenario allows. Here are the options that you can use:

Assign access in the Azure portal

  1. In the Azure portal, go to the Azure resource where you want your managed identity to have access.

  2. From the resource's menu, select Access control (IAM) > Role assignments, where you can review the current role assignments for that resource. On the toolbar, select Add > Add role assignment.

    (Screenshot: Select Add > Add role assignment)

    Tip

    If the Add role assignment option is disabled, you most likely don't have permissions. For more information about the permissions that let you manage roles for resources, see Administrator role permissions in Azure Active Directory.

  3. Under Add role assignment, select a Role that gives your identity the necessary access to the target resource.

    For this topic's example, your identity needs a role that can read and write blobs in an Azure Storage container, because Snapshot Blob is a write operation.

    (Screenshot: Select the "Storage Blob Data Contributor" role)

  4. Follow these steps for your managed identity:

    • System-assigned identity

      1. In the Assign access to box, select Logic App. When the Subscription property appears, select the Azure subscription that's associated with your identity.

        (Screenshot: Select access for the system-assigned identity)

      2. Under the Select box, select your logic app from the list. If the list is too long, use the Select box to filter the list.

        (Screenshot: Select the logic app for the system-assigned identity)

  5. When you're done, select Save.

    The target resource's role assignments list now shows the selected managed identity and role. This example shows how you can use the system-assigned identity for one logic app.

    (Screenshot: Managed identity and role added to the target resource)

    For more information, see Assign a managed identity access to a resource by using the Azure portal.

  6. Now follow the steps to authenticate access with the identity in a trigger or action that supports managed identities.
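The identity object that Azure writes into the resource definition supplies the principalId, and the portal steps above turn it into a role assignment. The following Python script, added here as an example and not part of Microsoft's documentation, does the same translation in code so the assignment can be reviewed or automated. The subscription, resource group, storage account, logic app name and the GUIDs in the sample identity object are constructed placeholders; the role definition ID is the built-in Storage Blob Data Contributor role. The script only builds and validates the request (scope, name and body); sending it to Azure Resource Manager is left to whatever client you use.

```python
import json
import re
import uuid

# Added example (not Microsoft's code). All names and GUIDs below are constructed.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
SCOPE_RE = re.compile(r"^/subscriptions/([^/]+)(/resourceGroups/[^/]+)?(/providers/.+)?$", re.I)

# Built-in role definition ID for "Storage Blob Data Contributor".
STORAGE_BLOB_DATA_CONTRIBUTOR = "ba92f5b4-2d11-453d-a403-e96b0029c9fe"

# Constructed sample: a logic app resource after Azure populated the identity object.
SAMPLE_LOGIC_APP = json.loads("""
{
  "type": "Microsoft.Logic/workflows",
  "name": "fabrikam-snapshot-workflow",
  "identity": {
    "type": "SystemAssigned",
    "principalId": "11111111-2222-3333-4444-555555555555",
    "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  }
}
""")


def identity_enabled(resource: dict) -> bool:
    """True when the system-assigned identity is switched on for this resource."""
    return (resource.get("identity") or {}).get("type") == "SystemAssigned"


def principal_id(resource: dict) -> str:
    """Return the identity's principalId, refusing to guess when it is absent.

    A role assignment for an empty or wrong principal silently grants nothing,
    so fail loudly here instead of at run time."""
    if not identity_enabled(resource):
        raise ValueError("system-assigned identity is not enabled on this logic app")
    pid = resource["identity"].get("principalId", "")
    if not GUID_RE.match(pid):
        raise ValueError("principalId is not populated yet; re-read the resource after deployment")
    return pid


def scope_level(scope: str) -> str:
    """Classify a scope as 'subscription', 'resourceGroup' or 'resource'.

    Least privilege for this page's scenario is 'resource' (one storage account)."""
    m = SCOPE_RE.match(scope)
    if not m:
        raise ValueError(f"not an Azure resource ID scope: {scope!r}")
    if m.group(3):
        return "resource"
    if m.group(2):
        return "resourceGroup"
    return "subscription"


def role_assignment(resource: dict, scope: str,
                    role_definition_id: str = STORAGE_BLOB_DATA_CONTRIBUTOR) -> dict:
    """Build the name, scope and PUT body for a Microsoft.Authorization/roleAssignments request."""
    pid = principal_id(resource)
    level = scope_level(scope)                       # also validates the scope format
    subscription = SCOPE_RE.match(scope).group(1)
    # Deterministic name (same idea as guid() in ARM templates): re-running the
    # deployment addresses the same assignment instead of creating a second one.
    name = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{scope}|{pid}|{role_definition_id}"))
    return {
        "name": name,
        "scope": scope,
        "scopeLevel": level,
        "body": {
            "properties": {
                "roleDefinitionId": f"/subscriptions/{subscription}/providers/"
                                    f"Microsoft.Authorization/roleDefinitions/{role_definition_id}",
                "principalId": pid,
                # Stating the principal type lets ARM accept a freshly created identity
                # that has not replicated yet instead of failing with PrincipalNotFound.
                "principalType": "ServicePrincipal",
            }
        },
    }


if __name__ == "__main__":
    storage_scope = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                     "/resourceGroups/rg-demo/providers/Microsoft.Storage"
                     "/storageAccounts/fabrikamstorageaccount")
    print(json.dumps(role_assignment(SAMPLE_LOGIC_APP, storage_scope), indent=2))
```

Two checks in the script are the ones that save time in practice: it refuses to build an assignment when the identity isn't enabled or principalId isn't populated yet, and it sets principalType to ServicePrincipal, which avoids the PrincipalNotFound failure that occurs when the assignment is created immediately after the identity.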

Authenticate access with managed identity

After you enable the managed identity for your logic app and give that identity access to the target resource or entity, you can use that identity in triggers and actions that support managed identities.

Important

If you have an Azure function where you want to use the system-assigned identity, first enable authentication for Azure Functions.

These steps show how to use the managed identity with a trigger or action through the Azure portal. To specify the managed identity in a trigger or action's underlying JSON definition, see Managed identity authentication.

  1. In the Azure portal, open your logic app in the Logic App Designer.

  2. If you haven't done so yet, add the trigger or action that supports managed identities.

    For example, the HTTP trigger or action can use the system-assigned identity that you enabled for your logic app. In general, the HTTP trigger or action uses these properties to specify the resource or entity that you want to access:

    Property         Required   Description
    Method           Yes        The HTTP method that's used by the operation that you want to run
    URI              Yes        The endpoint URL for accessing the target Azure resource or entity. The URI syntax usually includes the resource ID for the Azure resource or service.
    Headers          No         Any header values that you need or want to include in the outgoing request, such as the content type
    Queries          No         Any query parameters that you need or want to include in the request, such as the parameter for a specific operation or the API version for the operation that you want to run
    Authentication   Yes        The authentication type to use for authenticating access to the target resource or entity

    As a specific example, suppose that you want to run the Snapshot Blob operation on a blob in the Azure Storage account where you previously set up access for your identity. However, the Azure Blob Storage connector doesn't currently offer this operation. Instead, you can run this operation by using the HTTP action or another Blob Service REST API operation.

    Important

    To access Azure storage accounts behind firewalls by using HTTP requests and managed identities, make sure that you also set up your storage account with the exception that allows access by trusted Azure services.

    To run the Snapshot Blob operation, the HTTP action specifies these properties:

    Method (required): PUT
      The HTTP method that the Snapshot Blob operation uses.

    URI (required): https://{storage-account-name}.blob.core.chinacloudapi.cn/{blob-container-name}/{folder-name-if-any}/{blob-file-name-with-extension}
      The resource ID for an Azure Blob Storage file in the Azure China environment, which uses this syntax (in the Azure Global environment, the host suffix is blob.core.windows.net).

    Headers (required for Azure Storage): x-ms-blob-type = BlockBlob and x-ms-version = 2019-02-02
      The x-ms-blob-type and x-ms-version header values that are required for Azure Storage operations.

      Important: In outgoing HTTP trigger and action requests for Azure Storage, the headers must include x-ms-version set to the API version of the operation that you want to run.

      For more information, see these topics:

      - Request headers - Snapshot Blob
      - Versioning for Azure Storage services

    Queries (required for this operation): comp = snapshot
      The query parameter name and value for the Snapshot Blob operation.

    Here is the example HTTP action that shows all these property values:

    (Screenshot: Add an HTTP action to access an Azure resource)

  3. Now add the Authentication property to the HTTP action. From the Add new parameter list, select Authentication.

    (Screenshot: Add the Authentication property to the HTTP action)

    Note

    Not all triggers and actions support letting you add an authentication type. For more information, see Add authentication to outbound calls.

  4. From the Authentication type list, select Managed Identity.

    (Screenshot: For Authentication, select Managed Identity)

  5. From the managed identity list, select from the available options based on your scenario.

    • If you set up the system-assigned identity, select System Assigned Managed Identity if not already selected.

      (Screenshot: Select System Assigned Managed Identity)

    This example continues with the System Assigned Managed Identity.

  6. On some triggers and actions, the Audience property also appears for you to set the target resource ID. Set the Audience property to the resource ID for the target resource or service. Otherwise, by default, the Audience property uses the https://management.chinacloudapi.cn/ resource ID, which is the resource ID for Azure Resource Manager. Azure Storage rejects a token that was issued for the Resource Manager audience, so for storage calls you must set this property.

    Important

    Make sure that the target resource ID exactly matches the value that Azure Active Directory (AD) expects, including any required trailing slash. For example, the resource ID for all Azure Blob Storage accounts requires a trailing slash. However, the resource ID for a specific storage account doesn't require a trailing slash. Check the resource IDs for the Azure services that support Azure AD.

    This example sets the Audience property to https://storage.azure.com/ so that the access tokens used for authentication are valid for all storage accounts. However, you can also specify the root service URL, https://fabrikamstorageaccount.blob.core.chinacloudapi.cn, for a specific storage account; with that narrower audience, a token obtained for one run can't be replayed against other storage accounts.

    (Screenshot: Set the Audience property to the target resource ID)

    For more information about authorizing access with Azure AD for Azure Storage, see these topics:

  7. Continue building the logic app the way that you want.
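The designer steps above set the authentication properties through the portal. The following Python script, added here as an example and not part of Microsoft's documentation, builds the same Snapshot Blob HTTP action as its underlying JSON definition and applies the checks from this section (a managed identity authentication block is present, the Audience has the shape Azure AD expects, x-ms-version is set, the URI is https) to any HTTP action pulled from an exported workflow. The storage account, container and blob names are constructed placeholders; ManagedServiceIdentity is the authentication type value the workflow definition language uses for the system-assigned identity.

```python
import re
from urllib.parse import urlparse

# Added example (not Microsoft's code). Storage account, container and blob
# names are constructed placeholders.
STORAGE_ACCOUNT = "fabrikamstorageaccount"
BLOB_ENDPOINT_SUFFIX = "blob.core.chinacloudapi.cn"   # Azure China; blob.core.windows.net in Azure Global
ALL_ACCOUNTS_AUDIENCE = "https://storage.azure.com/"  # trailing slash is mandatory
MSI_AUTH_TYPE = "ManagedServiceIdentity"              # workflow-definition value for a managed identity
SERVICE_VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def audience_problem(audience: str, blob_suffix: str = BLOB_ENDPOINT_SUFFIX) -> str:
    """Return "" if the Audience matches one of the two shapes this page allows,
    otherwise a message saying what is wrong.

    Rules: https://storage.azure.com/ must keep its trailing slash; the root URL of
    one account (https://<account>.<blob suffix>) must have no trailing slash or path."""
    p = urlparse(audience)
    if p.scheme != "https" or not p.netloc:
        return f"audience must be an https URL, got {audience!r}"
    if p.netloc.lower() == "storage.azure.com":
        if audience != ALL_ACCOUNTS_AUDIENCE:
            return f"all-accounts audience must be exactly {ALL_ACCOUNTS_AUDIENCE!r}"
        return ""
    if p.netloc.lower().endswith("." + blob_suffix):
        if p.path or p.params or p.query or p.fragment:
            return "account audience is the root service URL with no trailing slash or path"
        return ""
    return f"not a storage audience for this cloud: {audience!r}"


def snapshot_blob_action(container: str, blob_name: str,
                         audience: str = ALL_ACCOUNTS_AUDIENCE,
                         service_version: str = "2019-02-02") -> dict:
    """Return the JSON definition of an HTTP action that runs Snapshot Blob
    with the logic app's system-assigned managed identity."""
    problem = audience_problem(audience)
    if problem:
        raise ValueError(problem)
    return {
        "Snapshot_blob": {
            "type": "Http",
            "inputs": {
                "method": "PUT",
                "uri": f"https://{STORAGE_ACCOUNT}.{BLOB_ENDPOINT_SUFFIX}/{container}/{blob_name}",
                "headers": {
                    "x-ms-blob-type": "BlockBlob",
                    "x-ms-version": service_version,   # required on every Azure Storage request
                },
                "queries": {"comp": "snapshot"},        # selects the Snapshot Blob operation
                "authentication": {
                    "type": MSI_AUTH_TYPE,              # no secret stored in the definition
                    "audience": audience,
                },
            },
            "runAfter": {},
        }
    }


def lint_http_action(action: dict) -> list:
    """Return the problems found in one HTTP action definition (empty if none).

    Meant for reviewing exported workflow JSON before it is deployed."""
    problems = []
    inputs = action.get("inputs", {})
    if not inputs.get("uri", "").startswith("https://"):
        problems.append("uri is not https; a bearer token must never travel in clear text")
    auth = inputs.get("authentication")
    if not auth:
        problems.append("no authentication block: the request would be sent anonymously")
    elif auth.get("type") != MSI_AUTH_TYPE:
        problems.append(f"authentication type {auth.get('type')!r} is not {MSI_AUTH_TYPE}")
    elif "audience" not in auth:
        problems.append("audience omitted: the token would be issued for Azure Resource Manager, "
                        "which Azure Storage rejects")
    else:
        msg = audience_problem(auth["audience"])
        if msg:
            problems.append("bad audience: " + msg)
    headers = {k.lower(): str(v) for k, v in inputs.get("headers", {}).items()}
    if not SERVICE_VERSION_RE.match(headers.get("x-ms-version", "")):
        problems.append("x-ms-version header missing or not a YYYY-MM-DD storage service version")
    return problems


if __name__ == "__main__":
    action = snapshot_blob_action("backups", "db.bak")
    print(lint_http_action(action["Snapshot_blob"]))   # [] means the definition passes
```

Running the script prints an empty list for the built-in example; feeding lint_http_action an action whose authentication block is missing, or whose audience is https://storage.azure.com without the trailing slash, returns the corresponding finding.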

Disable managed identity

To stop using a managed identity for your logic app, you have these options:

If you delete your logic app, Azure automatically removes the managed identity from Azure AD. Role assignments that referenced the deleted identity stay on the target resources as orphaned entries (shown as "Identity not found") until you remove them, so clean those up as well.

Disable managed identity in the Azure portal

In the Azure portal, first remove the identity's access to your target resource. Next, turn off the system-assigned identity.

Remove identity access from resources

  1. In the Azure portal, go to the target Azure resource where you want to remove access for the managed identity.

  2. From the target resource's menu, select Access control (IAM). Under the toolbar, select Role assignments.

  3. In the role assignments list, select the managed identities that you want to remove. On the toolbar, select Remove.

    Tip

    If the Remove option is disabled, you most likely don't have permissions. For more information about the permissions that let you manage roles for resources, see Administrator role permissions in Azure Active Directory.

The managed identity's role assignment is now removed, and the identity no longer has access to the target resource.

Disable managed identity on logic app

  1. In the Azure portal, open your logic app in Logic App Designer.

  2. On the logic app menu, under Settings, select Identity, and then follow the steps for your identity:

    • Select System assigned > Off > Save. When Azure prompts you to confirm, select Yes.

      (Screenshot: Disable the system-assigned identity)

The managed identity is now disabled on your logic app. Turning the identity off deletes its service principal from Azure AD; if you turn it on again later, Azure creates a new service principal with a different object ID, so any role assignments must be created again.

Disable managed identity in Azure Resource Manager template

If you created the logic app's managed identity by using an Azure Resource Manager template, set the identity object's type child property to None. For the system-assigned identity, this action also deletes the service principal, and with it the principal ID, from Azure AD.

"identity": {
   "type": "None"
}

Next steps